Hierarchical policy-based shared resource access control
US-9516028-B1 · Dec 6, 2016 · US
US9794292B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-9794292-B2 |
| Application number | US-201514975376-A |
| Country | US |
| Kind code | B2 |
| Filing date | Dec 18, 2015 |
| Priority date | Oct 26, 2015 |
| Publication date | Oct 17, 2017 |
| Grant date | Oct 17, 2017 |
Official abstract text for this publication.
A selection of a document that includes a command and a parameter is received, and a user is caused to be associated with a policy that grants permission to execute the document. A request is received, from a requestor, to execute the document, the request including a parameter value, and the requestor is determined to be the user associated with the policy. The user is validated to have access to a resource indicated by the parameter value, and the command is caused to be executed against the resource.
Opening claim text (preview).
What is claimed is:

1. A computer-implemented method, comprising: under the control of one or more computer systems that execute instructions, receiving, from an administrator of an account provided by a computing resource service provider, a first selection of a command document, the first selection received through a first application programming interface, the command document including: a set of commands for performing one or more operations against a virtual machine instance provided by the computing resource service provider; and a set of parameters, the set of parameters including a parameter that specifies a virtual machine instance to which the one or more operations are to be performed; obtaining a policy that grants permission to execute the set of commands included in the command document; as a result of receiving, from the administrator, a request to associate an entity with the policy, causing a policy management service of the computing resource service provider to associate the entity with the policy; receiving, from the entity through a second application programming interface, a second selection of the command document, the second selection specifying at least one value for the set of parameters, the at least one value including an identity of the virtual machine instance; as a result of verifying that the virtual machine instance is capable of executing the set of commands on behalf of the entity according to the policy, causing the set of commands to be executed at the virtual machine instance by providing the set of commands to a software agent running on the virtual machine instance; receiving a response from the software agent, the response indicating an execution status of the set of commands; and providing the status to an interface of the entity.
2. The computer-implemented method of claim 1, wherein verifying that the virtual machine instance is capable of executing the set of commands on behalf of the entity according to the policy includes: validating, with the policy management service, that the entity is associated with the policy; validating, with the policy management service, that the entity has access to the virtual machine instance indicated by the identity; and verifying that the virtual machine instance is responsive.
3. The computer-implemented method of claim 1, wherein: the computer-implemented method further comprises storing, as a result of a determination that the virtual machine instance is an unresponsive virtual machine instance, the set of commands in a queue in a form of a queued set of commands; verifying that the virtual machine instance is capable of executing the set of commands includes determining that the unresponsive virtual machine instance has become responsive; and causing the set of commands to be executed includes: obtaining the queued set of commands from the queue; and causing the queued set of commands to be executed at the virtual machine instance.
4. The computer-implemented method of claim 1, further comprising: updating, based at least in part on the execution status, a log of execution attempts for the virtual machine instance in a database; receiving, from the administrator, a second request to view the log of execution attempts for the virtual machine instance; and providing, in response to the second request, the log of execution attempts, including the execution status and details of attempts to execute commands at the virtual machine instance, to an interface of the administrator.
5. A system, comprising: one or more processors; and memory including instructions that, as a result of execution by the one or more processors, cause the system to: receive a selection of a command document, the command document specifying one or more operations and a set of parameters, the set of parameters specifying at least one resource; associate a user with a policy that grants permission to the user to execute the command document; receive an execution request from the user, the execution request indicating the command document and a set of parameter values associated with the set of parameters; verify that the at least one resource is able to perform the one or more operations on behalf of the user; and cause the one or more operations of the command document to attempt to be performed upon the at least one resource in accordance with the set of parameters.
6. The system of claim 5, wherein the command document specifies the one or more operations and the set of parameters using a data exchange format.
7. The system of claim 5, wherein the selection and the execution request are received by the system through one or more of: a command line interface, a web interface console, or a programmatic call from an executing software application.
8. The system of claim 5, wherein: the set of parameter values include a tag value; and the instructions that cause the system to cause the one or more operations to be executed upon the at least one resource include instructions that cause the system to cause the one or more operations to be executed asynchronously upon a set of resources that have been tagged with the tag value.
9. The system of claim 5, wherein the instructions further include instructions that cause the system to: receive a termination request, wherein the termination request specifies the command document; make a determination whether an execution status of the one or more operations indicates that the command document is being executed upon the at least one resource; depending at least in part on the determination, submit a cancellation request to at least one software agent for the at least one resource; and update the execution status of the one or more operations.
10. The system of claim 5, wherein the instructions that cause the system to verify that the at least one resource is able to perform the one or more operations include instructions that cause the system to: verify that the at least one resource is responsive; and verify that the user has access to perform the one or more operations upon the at least one resource.
11. The system of claim 10, wherein the instructions that cause the system to verify that the at least one resource is responsive include instructions that cause the system to determine whether a duration of time since a last heartbeat was received has reached a value relative to a threshold.
12. The system of claim 5, wherein the instructions further include instructions that cause the system to: store, in a log of execution attempts in persistent storage for the at least one resource, a status of execution of the one or more operations; receive a request, from a requestor, to view the log of execution attempts for the at least one resource; and provide to an interface of the requestor, in response to the request, the log of execution attempts, including the status of execution and details of attempts to perform operations upon the at least one resource.
13. The system of claim 12, wherein the instructions further include instructions that cause the system to launch a sweeper application that removes, from the persistent storage, statuses of execution that exceed a threshold age limit.
14. A non-transitory computer-readable storage medium having stored thereon executable instructions that, as a result of being executed by one or more processors of a computer system, cause the computer system to at least: receive a selection of a document, the document including a command and a parameter; cause a user to be associated with a policy that grants permission to execute the document
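The verification chain the claims describe (entity associated with a policy that permits the command document, entity has access to the named resource, resource responsive by heartbeat threshold, otherwise queue and retry, every attempt logged) as an added Python model. This is illustration only, not the patent's or any provider's code; the class, the 60-second threshold and the status strings are assumptions.

```python
"""Toy model of the policy-gated execution flow in claims 1-3, 10 and 11.
Added illustration only; names, threshold and statuses are assumptions."""
from collections import deque

HEARTBEAT_THRESHOLD = 60  # assumed: seconds since last agent heartbeat before "unresponsive"


class ExecutionService:
    def __init__(self):
        self.policies = {}          # policy name -> set of command-document names it permits
        self.user_policies = {}     # user -> set of policy names (policy management service)
        self.instance_access = {}   # user -> set of instance ids the user may act on
        self.heartbeats = {}        # instance id -> time of last heartbeat from its agent
        self.delivered = {}         # instance id -> commands handed to the software agent
        self.queue = deque()        # requests parked while the target is unresponsive (claim 3)
        self.log = []               # execution-attempt log (claims 4 and 12)

    def is_responsive(self, instance_id, now):
        # claim 11: time since the last heartbeat compared against a threshold
        return now - self.heartbeats.get(instance_id, float("-inf")) < HEARTBEAT_THRESHOLD

    def execute(self, user, document, commands, values, now):
        instance_id = values.get("instance_id")
        # claim 2: the requester must be associated with a policy permitting this document
        allowed = any(document in self.policies.get(p, ())
                      for p in self.user_policies.get(user, ()))
        if not allowed:
            status = "DENIED_POLICY"
        # claims 2 and 10: the requester must also have access to the named resource
        elif instance_id not in self.instance_access.get(user, ()):
            status = "DENIED_RESOURCE"
        elif not self.is_responsive(instance_id, now):
            self.queue.append((user, document, commands, values))
            status = "QUEUED"
        else:
            # claim 1: provide the commands to the agent on the instance
            self.delivered.setdefault(instance_id, []).extend(commands)
            status = "SUCCESS"
        self.log.append((user, document, instance_id, status))
        return status

    def retry_queued(self, now):
        # claim 3: re-run parked requests; policy and access are re-checked on retry
        pending, self.queue = list(self.queue), deque()
        return [self.execute(u, d, c, v, now) for u, d, c, v in pending]
```

The order of checks matters for least privilege: a caller who is not associated with a policy is refused before the service even consults resource state, so the denial leaks nothing about which instances exist or are alive.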
CPC classification titles:

- for managing network security; network security policies in general (filtering policies H04L63/0227)
- Protecting access to data via a platform, e.g. using keys or access control rules
- Multiple levels of security
- Restricting access to network management systems or functions, e.g. using authorisation function to access network configuration
- comprising specially adapted graphical user interfaces [GUI]